Denys Rudyi - Fotolia
The future of governmental incident response may have arrived -- in Ohio, at least.
The state of Ohio is building a "Cyber Reserve," a civilian cybersecurity reserve force designed to be deployed by the state to help local governments, businesses and critical infrastructure recover from and reduce the impact of cyberattacks, according to a recently passed law.
The Cyber Reserve will operate as part of the the state's defense forces under the command of the Adjutant General, which includes Ohio National Guard, and would be available upon the governor's request to respond to a cyberattack in the state. The bill, signed into law by Ohio governor Mike DeWine in October, comes in the wake of at least three high-profile cyberattacks against Ohio local governments in the past year.
The Cyber Reserve will include a force of 50 initial volunteer civilian cybersecurity experts who will be deployed around the state as needed. The legislation appropriates $100,000 in funding in fiscal year 2020 and $550,000 in fiscal year 2021 to operate the reserve. When on active duty, members of the reserve will be paid similarly to other military personnel with a similar level of training, according to the bill. The reserve has not been built yet, though the state is currently taking applications.
Mark Bell, cybersecurity outreach coordinator for the Ohio Adjutant General's Department, explained the process for how the reserve would be established.
"Recruiting for members is currently underway, and more than 60 individuals have registered for consideration. Many more have expressed interest in the program. Recruiting is ongoing as the teams will be set up in a staggered start," Bell said. "The first two teams will be stood up the end of January 2020, as the bill takes effect 90 days after Gov. Mike DeWine's signature. More teams will be set up throughout Ohio through the rest of 2020."
Bell said that the Cyber Reserve is an initiative of the Ohio Cyber Collaboration Committee (OC3), a partnership of public sector agencies, enterprises and military organizations that was formed three years ago to bolster the state's cybersecurity posture.
"The committee's mission is to provide an environment for collaboration between the key stakeholders to strengthen cyber security for all in the state of Ohio. At the request of the governor, the Adjutant General's Department spearheaded the partnership to develop a stronger cyber security infrastructure and create educational pathways to develop cybersecurity talent," he said.
Moody's Investors Service published a report calling the Cyber Reserve move "credit positive" for the state's local governments. Dan Simpson, an analyst at Moody's, praised the move. "Our perspective is that it's a great positive," he said. "It represents good governing from the state's perspective, it gives the local governments a little more ability to respond to cyberattacks."
Forrester vice president and principal analyst Jeff Pollard said that while it is a good thing for government to play a role in incident response, it should not take complete control and that governments should work alongside the victim and, potentially, incident response companies to address cyberthreats.
"I don't see this as a situation where government displaces or replaces traditional information security firms and information security personnel," he said. "I think the right approach is one where government blends expertise or offers expertise and potentially financial support to companies dealing with this, but doesn't move someone aside."
Moody's assistant vice president and cyber risk analyst Leroy Terrelonge said that the move to establish a Cyber Reserve is more important now than ever before.
"When you're looking at all these regional and local governments that have been increasingly targeted by ransomware attacks and in the past, these ransomware attacks used to be opportunistic, looking for a weak link somewhere," Terrelonge said. "But now they're going after regional and local governments specifically and we've seen a very sharp increase in attacks on regional and local governments in the last few months. And one of the reasons why the Ohio action is so important is that we've seen regional and local governments that have less ability to protect themselves from cyberattacks."
Overall, Pollard said Cyber Reserve's creation was a positive and has the potential to extend beyond Ohio.
"What's going to be interesting is how the model of this shakes out, what it eventually becomes and what it looks like at the end state," Pollard said. "But I think one thing we know is that generally when a state does it or a country does it, others will play copycat, and I think that's what we're going to see here."